Internet malware remains a top threat to the Internet today, as the recent large-scale worm outbreaks (e.g., the MSBlaster worm in 2003 and the Sasser worm in 2004) clearly demonstrate. Moreover, every new wave of outbreaks reveals the rapid evolution of Internet malware in speed, virulence, and sophistication. Unfortunately, our capability to investigate and defend against Internet malware has not advanced at the same pace since the Code Red episode of mid-2001.
In this talk, I will present my research work on an integrated, virtualization-based framework for malware investigation and defense. First, I will introduce a virtualization-based honeyfarm and reverse honeyfarm architecture, called Collapsar, that operates as the front-end 'trap' for malware attacks of many kinds. Collapsar is, to the best of our knowledge, the first honeyfarm implementation that enables centralized management of honeypots while still preserving a (virtual) distributed presence. Next, I will present vGround, the back-end virtual 'playground' for captured worms and malware. vGround enables destruction-oriented experiments with real-world malware that were previously expensive, inefficient, or even impossible to conduct. In particular, based on the dynamic infection behavior of real worms revealed by vGround, we have defined a novel behavioral footprinting model for worm characterization and identification, which complements the state-of-the-art content-based signature approach. Our recent enhancement to vGround is a provenance-aware logging mechanism (called process coloring) that achieves higher efficiency and accuracy than existing systems in tracing malware break-ins and contaminations. Finally, I will briefly describe my latest work on virtualizing the run-time environment to defend against code-injection attacks by Internet malware, as well as my future research plan.
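To make the provenance-tracing idea behind process coloring concrete, here is an added example that is not code from the talk or from the vGround project. It assumes a deliberately simplified model: each remotely reachable service process is assigned its own color at start-up, a child inherits its parent's colors on fork, a file written by a process takes on that process's colors, and a process that reads a file takes on the file's colors. The event-log lines and the helper names (`trace`, `contamination`, `break_in_service`) are constructed for this example; the real mechanism's rules and log format are not described on this page.

```python
"""Toy process-coloring tracer over a constructed audit log (example only)."""
from collections import defaultdict

# Constructed log: a web server spawns a shell that drops a payload, which
# installs a cron backdoor; later an sshd session reads that backdoor file.
EVENTS = [
    "start pid=100 service=httpd color=red",
    "start pid=200 service=sshd color=blue",
    "fork parent=100 child=101",
    "exec pid=101 image=/bin/sh",
    "write pid=101 file=/tmp/.payload",
    "fork parent=101 child=102",
    "exec pid=102 image=/tmp/.payload",
    "write pid=102 file=/etc/cron.d/backdoor",
    "fork parent=200 child=201",
    "exec pid=201 image=/bin/bash",
    "read pid=201 file=/etc/cron.d/backdoor",
    "write pid=201 file=/var/log/lastlog",
]


def parse(line):
    """Split 'verb k=v k=v ...' into (verb, {k: v})."""
    verb, *kvs = line.split()
    return verb, dict(kv.split("=", 1) for kv in kvs)


def trace(events):
    """Replay the log, propagating colors (assumed rules, see lead-in).

    Returns (process colors, file colors, color -> originating service).
    """
    proc_colors = defaultdict(set)
    file_colors = defaultdict(set)
    service_of_color = {}
    for line in events:
        verb, f = parse(line)
        if verb == "start":            # network-facing service gets a fresh color
            proc_colors[f["pid"]].add(f["color"])
            service_of_color[f["color"]] = f["service"]
        elif verb == "fork":           # child inherits parent's colors
            proc_colors[f["child"]] |= proc_colors[f["parent"]]
        elif verb == "exec":           # colors survive a new image
            continue
        elif verb == "write":          # file is stained by its writer
            file_colors[f["file"]] |= proc_colors[f["pid"]]
        elif verb == "read":           # reader picks up the file's colors
            proc_colors[f["pid"]] |= file_colors[f["file"]]
        else:
            raise ValueError(f"unknown event: {line}")
    return proc_colors, file_colors, service_of_color


def contamination(proc_colors, file_colors, color):
    """Everything reachable from one service: (sorted pids, sorted files)."""
    procs = sorted(p for p, c in proc_colors.items() if color in c)
    files = sorted(f for f, c in file_colors.items() if color in c)
    return procs, files


def break_in_service(file_colors, service_of_color, artefact):
    """Given a suspicious file found during IR, name the service(s) it traces back to."""
    return sorted(service_of_color[c] for c in file_colors.get(artefact, set()))


if __name__ == "__main__":
    pc, fc, soc = trace(EVENTS)
    for color, service in soc.items():
        procs, files = contamination(pc, fc, color)
        print(f"{service} ({color}): processes {procs}, files {files}")
    print("backdoor traces to:", break_in_service(fc, soc, "/etc/cron.d/backdoor"))
```

Running it attributes the cron backdoor to httpd alone, while `/var/log/lastlog` carries both colors because the sshd session read the red-stained file before writing it: the point of coloring is that the break-in service and the full contamination set fall out of the colors without walking the whole log backwards.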